
Anders Olsson, 31 May 2022

Problem sending or receiving protected emails externally?

Last week was the tenth time I helped an organization that couldn’t send protected emails externally.

In other words, it’s worth a blog article.

It’s all about a very common misconfiguration of Conditional Access.

The scenario is that RMS-protected emails can be opened internally, but if they are either sent to or received from an external organization, they can’t be opened in Outlook.


In all cases the reason for the problem has been that the sender’s organization requires MFA for all users against all cloud apps.

Multifactor Authentication (MFA) is in most cases what we want to enforce to increase security, but in this particular case it simply doesn’t work.

Let me start by explaining how to solve this issue.

If your MFA Conditional Access rule looks like the following, you simply need to exclude the app Microsoft Azure Information Protection from that rule.

Users: All users. Cloud apps: All cloud apps. Grant: Require MFA.



If you have other Conditional Access rules that require MFA for the app Microsoft Azure Information Protection, you need to exclude the app from those rules for external users as well.

As soon as the exclusion has been made, protected emails can be opened (decrypted) in Outlook again.
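The check below is an added example and is not part of the original post. It uses the Microsoft Graph PowerShell SDK to list every enabled Conditional Access policy that requires MFA for all cloud apps without excluding the Microsoft Azure Information Protection app, and, with the -Fix switch (a name chosen for this script), adds the exclusion. It assumes the app’s service principal exists in the tenant under the display name Microsoft Azure Information Protection, which is the name the Conditional Access portal shows, and that the signed-in account holds the listed Graph permissions. Run it without -Fix first and review the warnings before changing anything.

```powershell
# Added example (not the original post's code): audit and optionally fix
# Conditional Access policies that block external RMS decryption.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
param([switch]$Fix)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' | Out-Null

# Resolve the app ID from the display name shown in the portal instead of
# hard-coding a GUID (assumption: the service principal exists in the tenant).
$aipSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Information Protection'"
if (-not $aipSp) {
    throw "Service principal 'Microsoft Azure Information Protection' not found in this tenant."
}
$aipAppId = $aipSp.AppId

foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps        = $p.Conditions.Applications
    $requiresMfa = $p.GrantControls -and ($p.GrantControls.BuiltInControls -contains 'mfa')
    $allApps     = $apps.IncludeApplications -contains 'All'
    $aipExcluded = $apps.ExcludeApplications -contains $aipAppId
    $enabled     = $p.State -eq 'enabled'

    # The misconfiguration from the post: All users / All cloud apps / Require MFA
    # with no exclusion for the AIP app.
    if ($enabled -and $requiresMfa -and $allApps -and -not $aipExcluded) {
        Write-Warning "Policy '$($p.DisplayName)' ($($p.Id)) requires MFA for all cloud apps and does not exclude Microsoft Azure Information Protection."

        if ($Fix) {
            # Send the whole applications block so existing includes/excludes survive the PATCH.
            $body = @{
                conditions = @{
                    applications = @{
                        includeApplications = @($apps.IncludeApplications)
                        excludeApplications = @($apps.ExcludeApplications | Where-Object { $_ }) + $aipAppId
                        includeUserActions  = @($apps.IncludeUserActions | Where-Object { $_ })
                    }
                }
            }
            Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body
            Write-Host "Added exclusion for $aipAppId to '$($p.DisplayName)'."
        }
    }
}
```

Policies scoped to the app by name rather than "All cloud apps" (the second case in the post) will not be flagged by the All-apps test; for those, check whether the app ID appears in IncludeApplications and exclude the external users the post refers to instead.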



Let me explain why

Outlook as an app supports MFA. For example, if MFA is required internally, you can sign in to Outlook against your own organization with MFA. The problem comes when you need to decrypt a rights-protected message (rpmsg). One of the best things about RMS encryption is that it works seamlessly with Office files both internally and externally. During decryption, the authentication of your signed-in account in Office is used to verify your permissions against the organization that encrypted the content, both internally and externally (without any additional password or certificate of the kind most third-party solutions use).

The problem when you need to authenticate to decrypt a protected message that comes from an external organization is that Outlook uses the signed-in account and its token to authenticate to the sender’s tenant. If MFA is required there, Outlook does not support re-authenticating to the sender’s organization with MFA against that tenant.